Build with lockfile if available for maven projects

[LogFlames]

Maven-lockfile is a project that generates lockfiles for maven projects which are not available natively.

To generate lockfile:

mvn io.github.chains-project:maven-lockfile:generate

Will produce lockfile.json containing all dependencies.

To build from lockfile:

mvn io.github.chains-project:maven-lockfile:freeze

Will produce pom.lockfile.xml, a flattened pom with all dependencies. This can then be used in maven with mvn -f pom.lockfile.xml clean package.

This is useful when a project has version ranges.

Version range example

Client pom.xml:

<dependency>
    <groupId>net.sf.jasperreports</groupId>
    <artifactId>jasperreports</artifactId>
    <version>[6.18.1,7.0.0)</version>
</dependency>

(Version range meaning any version X, which fulfills 6.18.1 <= X < 7.0.0, i.e. latest major version 6 release)

Client then uses a function that exists in version 6.18.1 of jasperreports. This works when 6.18.1 is the latest release.

Jasperreports then releases 6.19.1, which removes the function. The version range will use the latest version, and thus the project will not build.

---

Do you think it makes sense to build maven projects from lockfile if a lockfile exists?

How is your policy regarding lockfiles for npm and pypy projects?

[algomaster99]

There are two ways in the current infrastructure

1. Changing strategy.
   1. We look for lockfile.json and then we add attribute to MavenBuild strategy indicating we want to build with lockfile.
   2. We run generate goal to create a pom.lockfile.xml file and build using this file rather than pom.xml.
2. Have this as fallback step in the AI pipeline.

However, step 1.ii would require running another mvn command and we have hesitated to do this in the past with gradle when we had to know the artifact ID.
@LogFlames maybe we can have directly run mvn clean package --from-lockfile lockfile.json and this would automatically create pom.lockfile.xml and then build from it?